Support Center / Troubleshooting and general information / DNS leaks when using a VPN

DNS leaks when using a VPN

All Proton VPN apps include DNS leak protection designed to prevent websites and the like that you visit on the internet from identifying your real DNS address. There are some limited circumstances, however, that allow your computer to bypass these protections that can result in third parties being able to see the IP address of the DNS server you are really using.

In this article, we explain what DNS is, how it works, and why manually configuring your DNS settings can prevent our DNS leak protection from working correctly. 

What is DNS?

Every connection to the internet is assigned a unique numerical identifier known as an internet protocol (IP) address. The human brain is not designed to remember long strings of numbers, so we identify internet resources (such as websites and games servers) using more human-friendly text strings known as domain names.

The Domain Name System (DNS) is like a global telephone directory that translates human-friendly URLs to the IP addresses that computers use.

For example, the URL protonvpn.com currently maps to the IP address 185.159.159.140. If you enter 185.159.159.140 into your browser’s web address bar, it will take you to protonvpn.com. (In practice, an IP address can map to multiple websites, and a single domain can map to multiple IP addresses. But in essence, this is what DNS does.)

DNS and privacy

DNS resolution is the process of translating a domain into its matching IP address. It is performed by DNS servers, which by default are operated by your internet service provider (ISP).

Almost all ISPs in the world keep logs of DNS queries made by their customers, allowing them to know your browsing history. Although ISPs can track your internet activity in other ways, most confine themselves to simply keeping DNS logs.

Although not usually done by default, it is possible for websites that you visit to see the IP address of the DNS server used to resolve the DNS query that directs you to their site. Armed with this knowledge, they (or anyone else watching the website) can then approach your ISP and ask it to reveal the IP address of whichever customer made the DNS query.

Because DNS resolution is performed by your ISP, knowing the IP address of the DNS server you used allows websites to identify which country you are in. If you are using a VPN or proxy to hide your real IP address, but your ISP’s DNS server IP address is exposed, then this mismatch can allow websites to know that you are trying to mask your real identity. 

DNS, Proton VPN, and DNS leak protection

Proton VPN addresses this threat by running our own DNS servers. As with all other internet traffic, DNS queries are routed through the VPN tunnel to be resolved on our servers. 

To the outside world, your DNS address will differ from the IP address of your VPN server, but it will belong to the same data center. It will therefore closely match the VPN server’s physical location. (Note that IPv6 connections are simply blocked at this time, which has no effect on your internet experience.) 

Proton VPN does not log DNS queries, and by Swiss law cannot be forced to start logging them. We also do not log the IP addresses of our users. 

Learn more about Proton VPN’s threat model

All our apps implement DNS leak protection, using firewall rules and other platform-specific techniques to ensure no internet traffic – including DNS queries – can enter or exit your device outside the VPN interface. 

However, there are a limited number of circumstances where DNS queries might be routed outside the VPN tunnel.

Third-party DNS services

Manually configuring your device’s global DNS settings to use a third-party DNS service, such as Google Public DNS, Cloudflare, or OpenNIC, increases the chance of something going wrong, as it is possible the custom settings will override our DNS leak prevention measures. 

We therefore strongly recommend against using third-party DNS services with Proton VPN. Below are guides to disabling custom DNS configurations on all major platforms.

Windows 10

1. Go to StartSettingsNetwork & Internet → your network interface (e.g. WiFi or Ethernet) → Related settingsChange adapter options

2. Right-click on your network interface → Properties → Internet Protocol Version 4 (TCP/IPv4)Properties.

Windows IPv4 setting

3. Ensure Obtain DNS server addresses automatically is selected, then click OK.

Enable Obtain DNS server addresses automatically

4. If you have an IPv6 connection (or if you’re not sure if you do), repeat steps 2 and 3 for Internet Protocol Version 6 (TCP/IPv6).

macOS

Go to System PreferencesNetwork → ensure your network interface is selected (e.g., WiFi or Ethernet) → Advanced… → DNS tab. Select any third-party DNS servers (if there are any), then click the button to remove them. Click OK when you’re done.

Delete third party DNS services in macOS

Linux

Each Linux distro and desktop environment offers a different (although often very similar) user interface for changing DNS settings. In Ubuntu GNOME, for example:

1. Go to Show ApplicationsAllSettingsNetwork and click the gear icon next to your network interface.

Find your network connection

2. Go to the IPv4 and IPv6 tabs. Under DNS, ensure the Automatic switch is toggled on and delete any DNS entries you see. Click Apply when you’re done.

Enable automatic DNS

Android 9+

Android 9+ offers Private DNS, a system-wide feature that automatically protects the connection to your ISP’s DNS servers using DoT (if this is supported by your ISP – see below for more details), or that allows you to specify a custom DNS provider. To disable Private DNS:

1. Open the Settings app and go to ConnectionsMore connection settingsPrivate DNSOff.

Turn Private DNS Mode off in Android

Chrome OS

Go to Settings → select your network interface (e.g. WiFi or Ethernet. If using WiFi you will also need to select a known network) → Advanced → Name servers and ensure Automatic name servers is selected.

Select automatic name servers on Chromebooks

 

iOS and older versions of Android 

The only way to change the global DNS settings in iOS/iPadOS and Android versions earlier than Android 9 Pie is to use a third-party app that creates a dummy VPN interface to work. 

Since it is only possible to have one VPN connection at a time, you can’t run these apps alongside Proton VPN anyway. 

DNS over HTTPS

DNS over HTTPS (DoH) is an encryption standard that encrypts DNS queries to the DNS server. DoH only works if the standard is supported by the DNS provider, but is now offered by an increasing number of third-party DNS services (although rarely by ISPs).

Unfortunately, this compounds the problem with using third-party DNS services because the encryption prevents our software from being able to see the DNS queries. This makes it very hard to block or reroute them.

We therefore strongly recommend against using DoH (and the similar DNS over TLS standard) with Proton VPN. When using our apps, all DNS queries are sent through the VPN connection to our servers, and are thus securely encrypted without the need for DoH or DoT.

On desktop systems, DoH is usually implemented inside your browser, and is supported by most modern browsers (except Safari). DoH and DoT are supported on mobile devices via Android Private DNS or standalone apps (as described above).

How to disable DoH in your desktop browser

Firefox

Go to SettingsGeneralSettings. At the bottom of the page, ensure Enable DNS over HTTPS is disabled.

Disable DNS over HTTPS in Firefox

Chrome

Click the three-dot vertical ellipse icon → SettingsPrivacy and SecurityPrivacy and securitySecurityAdvanced and ensure Use secure DNS is off

Disable use secure DNS in Chrome

(On a Chromebook, go to Settings Privacy and securityAdvanced

Edge Chromium

Click the three-dot horizontal ellipse icon → Settings Privacy, search, and servicesSecurity and ensure Use secure DNS to specify how to lookup the network address for websites is off.

Disable use secure DNS in Edge

Brave

Go to  SettingsPrivacy and SecuritySecurityAdvanced and ensure Use secure DNS is off

Disable use secure DNS in Chrome

Your connection to the VPN server is interrupted

If the connection between your device and the VPN server is interrupted, you might access the internet without the protection of the VPN. Among other things, this means DNS queries might be sent to your system’s default DNS server (which is probably run by your ISP).

This issue is easy to address by enabling the kill switch feature, which is now available in all our apps.

How to check for DNS leaks

1. Open our app and connect to one of our servers. For the purpose of running a DNS leak test, connecting to a VPN in a different country makes DNS leaks easier to spot.

2. Visit DNS leak test.com in your browser. You should see the IP address of the VPN server you have connected to. Choose either a Standard test or an Extended test. For the purposes of this guide, we’ll choose an extended test.

See your external IP addresss

3. Wait for the test to complete and look at the results. If the IP address shown is that of your real ISP, then you have a DNS leak. Please see above for solutions.

DNS leak test reslts

Note that Proton VPN partners with infrastructure providers around the world, so the ISP may be a third-party provider. As long as the IP address does not belong to your real ISP, you do not have a DNS leak. 

Post Comment

6 comments

  1. Hello

    What is your DNS server?
    As of Plus user, I connected Proton with my router. I want to find out how to ensure my DNS server setting is connected with Proton to aviod unleakable.

    Thanks!

  2. ProtonVPN Team

    Hey, all of the DNS requests are resolved on the server itself so each VPN server is running a DNS server. The address is 10.8.8.1 for UDP connections and 10.7.7.1 for TCP connections.

  3. frank

    do you log for dns queries ?

  4. ProtonVPN Team

    Hello Frank, since DNS queries are resolved on the server itself, they are also encrypted and not logged as per our security policies.

  5. Peter

    When I performed the extended look-up on the DNS leak test site.

    This displayed my beginning IP and the Protonmail secure core

    Why?

  6. ProtonVPN Team

    Hello Peter, that should not happen so please send the results to our support team. https://protonvpn.com/support-form

Comments are closed.

Secure
your internet

Get Proton VPN
Get Proton VPN

For customer support inquiries, please submit the following form for the fastest response:
Support Form

For all other inquiries:
contact@protonvpn.com


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.10.10
Comment: https://openpgpjs.org

xsBNBFiYeeIBCACpwuYcTsACyjQaqY3tOUonokamGZf3VDuLvcA9nQnu4vlB
n1RFFUJa5Pmf2yZ9EjJFSldTl5lreE3tFf53CcZ9wKa1R6aMnN/0VqURJho0
ZTqevQlCvuJ9kKHkDck3Em0/1WWnhDJgabp+fOa5HAHoAvcNy5gVPuexTT/N
wp6QcfB7w+qFhf73s0bcSn5RC+FAYlQxZVFhFtA7/7LthBVatDJrYLYP9XJd
zOZqz9AX0XZwKal25RcVeGHkNKgloo0bTgro4D88MR7saqXFHTRhy3+Wss7c
uqrh0uIkVmqtadoK/rAbqOyFXQ2DlvSMVrEMLUvwlZbC0taqcKDfNA+FABEB
AAHNLWNvbnRhY3RAcHJvdG9udnBuLmNvbSA8Y29udGFjdEBwcm90b252cG4u
Y29tPsLAfwQQAQgAKQUCWJh54wYLCQcIAwIJEN4dfnhhw11TBBUIAgoDFgIB
AhkBAhsDAh4BAAoJEN4dfnhhw11T6PwIAKgIHTUaEcCFQ5WfmwGpdhRgFe7H
gnHR8UOFPrRKnbCOQgTVPGwCFt8UVFhEgbmtroThU89DpxFSYUOD6nZ2k1X3
X4Q9OsItFUUuhPtLJrkz5ghtZLmsAH/edTRbVU1Ew1E8KbylLFI1J5yId7zR
GdnaTXv/E7P3po5X/b08TFAhXSyYYUbMeQuthbJajtpFygr53lm47cOWa4N8
udqLhmpheaQj04DuqYXOGC08JQn+XbHzhFl5Yvlt9Idk8+7c2UJ0qgWKQ5ZV
mquRAw5HDCQM5OqF1MoImDxOH+tK3PUlvFDsLZ1WPEOHK/EN12sPBx0x1R04
fcPTPdbMwgISGM3OwE0EWJh54gEIALqhrLUpvarPc0nkuHpyJC/MsrIDPLuV
qMc49tgjgDBsyIKJFEP9qCnkSOEixaFi+nTljUSpkHGR+PvEGecmcOdW6djN
QGxon/nwBT9d8HbtxJesaEIzwRAxmqQW9MqNq4UsfNQ0VvUYqV9wEbYfdDT/
jZfz9N0hjFELF1sg3UPcCRijhf162bp+rLQdO9vWVUbOdMQvsM/kyUJ6JMXR
xUtyKC05ddxii2SMr4XUW45ostPbxJybOF5oSZpEb1EIlrTLLPAe/498XlBW
hpRAPe+9ZfNs7drMvUEFnnOXahrXAuaaZpyaS/XBaloqSb1+v2AkUep3dbSF
PaRtbXRMS+kAEQEAAcLAaAQYAQgAEwUCWJh54wkQ3h1+eGHDXVMCGwwACgkQ
3h1+eGHDXVMZ4Qf4hu5N8/uYNDqJMFRIWSCpPGxmyIVXGARG4hgR8gwPZY9K
fReAUndX3uODBNIgZU7I3YntawU1DlP6GpP6yyR/8lfUMNCAXPDmd+zTFYIJ
UDHD8sw2GRrFVzFOKUpAapWFOI4XjSMP2UiK4HgrpUjAhe1wSaa7nEjtAuYT
zFx1QSuQD1iYcOF/FAm7EuhBIfWITjYAobGM6gonPbp3IPHM52rUbulllcdV
vCLs+blcyiVCGZlNcmlg3eibAJJL19TQLqT2DbQvQ/SyVBJGjoT+y4TTRtmZ
cebEjt2KJcc4x2lzPq3z2KJNyJTOTMB+aYD9Ma9IObDds+M/+5XDWi7f
=ueTT
-----END PGP PUBLIC KEY BLOCK-----

You can also Tweet to us:
@ProtonVPN